refactor: upgrade Dockerfile to zero-dependency scratch image

This commit is contained in:
RainySY
2026-04-09 04:14:54 +08:00
parent 7767d713d7
commit 13ab2b0364


@@ -1,7 +1,10 @@
# ==== 第一阶段: 编译打包层 ==== # ==== 第一阶段: 编译打包层 ====
FROM golang:alpine AS builder FROM golang:alpine AS builder
# 释放跨平台交叉编译的限制 (移除了大陆专供的 GOPROXY避免在 Github 官方机房海外服务器中产生网络不兼容报错) # 第一时间安装最详尽的根证书与时域数据源,这是最后提取所必须的物质
RUN apk add --no-cache ca-certificates tzdata
# 开启 CGO_ENABLED=0这是逃逸出系统依赖实现真正的静态单文件极限打包的关键
ENV GO111MODULE=on \ ENV GO111MODULE=on \
CGO_ENABLED=0 \ CGO_ENABLED=0 \
GOOS=linux \ GOOS=linux \
@@ -9,30 +12,27 @@ ENV GO111MODULE=on \
WORKDIR /app WORKDIR /app
# 优先缓存和下载项目依赖
COPY go.mod go.sum ./ COPY go.mod go.sum ./
RUN go mod download RUN go mod download
# 载入完整代码并执行剥离调试信息的极限压缩静态编译 (-ldflags="-w -s")
COPY . . COPY . .
RUN go build -ldflags="-w -s" -o imagehost ./cmd/main.go RUN go build -ldflags="-w -s" -o imagehost ./cmd/main.go
# ==== 第二阶段: 纯净运行环境层 ==== # ==== 第二阶段: 绝对物理真空层 (Scratch) ====
FROM alpine:latest # 既然 Alpine 的组件总能被扫出各种各样的零日陈旧漏洞,那么最好的防御就是不要任何组件系统!
# Scratch 中连 Shell / Bash / busybox 都没有,真正从物理维度杜绝了各类越权注入与 CVE 扫描报警。
FROM scratch
# 123云盘采用硬 TLS 协议,必须拉取 ca-certificates否则网络连接拦截报错 # 从刚才的工厂层提炼出我们的核心支撑数据(时间树与 HTTPS 证书)
# TZdata 用于纠正容器运行内的时间对齐,保障授权握手不过期 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
RUN apk --no-cache add ca-certificates tzdata COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo
ENV TZ=Asia/Shanghai ENV TZ=Asia/Shanghai
WORKDIR /app WORKDIR /app
# 将上一阶段萃取好的精华可执行程序抓取过来
COPY --from=builder /app/imagehost . COPY --from=builder /app/imagehost .
# 暴露对外的 HTTP 接口
EXPOSE 8080 EXPOSE 8080
# 触发点火
CMD ["./imagehost"] CMD ["./imagehost"]
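Review bot: The new `FROM scratch` stage still runs the service as root — nothing between `FROM scratch` and `CMD ["./imagehost"]` sets a user, so the binary runs as UID 0 exactly as it did on the alpine base. Scratch ships no /etc/passwd, so the id must be numeric: add `USER 10001:10001` after the `COPY --from=builder /app/imagehost .` line, and if imagehost writes uploads under /app (not visible in this diff), pre-create that directory in the builder stage and bring it over with `COPY --from=builder --chown=10001:10001`. The comment introducing the scratch stage also overstates the gain: vulnerability scanners read the module list from the Go binary's embedded build info, which `-ldflags="-w -s"` does not strip, so CVEs in the app's own dependencies are still reported and still need patching — a wording such as `# Scratch removes the OS layer; Go module CVEs in the binary remain in scope` would be accurate. The builder's `golang:alpine` tag (context line at the top of the first hunk) still floats, so the Go toolchain can change between builds; pinning to a minor version is worth a follow-up.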